9

I'm trying to come up with ways to speed up my secure web site. Because there are a lot of CSS images that need to be loaded, it can slow down the site since secure resources are not cached to disk by the browser and must be retrieved more often than they really need to.

One thing I was considering is perhaps moving style-based images and javascript libraries to a non-secure sub-domain so that the browser could cache these resources that don't pose a security risk (a gradient isn't exactly sensitive material).

I wanted to see what other people thought about doing something like this. Is this a feasible idea or should I go about optimizing my site in other ways like using CSS sprite-maps, etc. to reduce requests and bandwidth?

Dan Herbert

4 Answers

2

Browsers (especially IE) get jumpy about this and alert users that there's mixed content on the page. We tried it and had a couple of users call in to question the security of our site. I wouldn't recommend it. Having users lose their sense of security when using your site is not worth the added speed.

Chris Van Opstal
1

Do not mix content; there is nothing more annoying than having to go and click the yes button on that dialog. I wish IE would let me always select show mixed content sites. As Chris said, don't do it.

If you want to optimize your site, there are plenty of ways; if SSL is the only way left, buy a hardware accelerator.... Hmm, if you load an image using http, will it be cached if you load it with https? Just a side question that I need to go find out.

JoshBerke
  • "I wish IE would let me always select show mixed content sites." - [It does.](http://blogs.msdn.com/b/askie/archive/2009/05/14/mixed-content-and-internet-explorer-8-0.aspx) :) – Chiramisu Jul 18 '12 at 19:43
0

Be aware that in IE 7 there are issues with mixing secure and non-secure items on the same page, so this may result in some users not being able to view all the content of your pages properly. Not that I endorse IE 7, but recently I had to look into this issue, and it's a pain to deal with.

Elie
0

This is not advisable at all. The reason browsers give you such trouble about insecure content on secure pages is that it exposes information about the current session and leaves you vulnerable to man-in-the-middle attacks. I'll grant there probably isn't much a 3rd party could do to sniff vulnerable info if the only insecure content is images, but CSS can contain references to javascript/vbscript via behavior files (IE). If your javascript is served insecurely, there isn't much that can be done to prevent a rogue script scraping your webpage at an inopportune time.

At best, you might be able to get away with iframing secure content to keep the look and feel. As a consumer I really don't like it, but as a web developer I've had to do that before due to no other pragmatic options. But, frankly, there are just as many if not more defects with that, too, as after all, you're hoping that something doesn't violate the integrity of the insecure content so that it may host the secure content and not some alternate content.

It's just not a great idea from a security perspective.

JayC
  • JayC's answer is misleading. DO NOT IFRAME the secure content within an insecure parent. If the insecure parent frames/pages are compromised, then they own the secure frame, minimally by putting a transparent iframe over the top and intercepting/redirecting you to their content (typically to capture the user's credentials). Never mix secure and insecure content on the same page. –  Oct 30 '12 at 17:10
  • @TheOtherGeoff: That's precisely another good reason it's "not a great idea". But when the client insists, the client is a company that is advised with regard to your project by a committee of people, and you are working for a minor branch of a company on a minor branch of the project (with disproportionate publicity) trying to keep the client happy, and your boss, who seems to at least partially understand the issue, apparently desires more to lay low to find the right point in time to retire... you sometimes just have to go with the flow. I never meant to imply "pragmatic" was *secure*. – JayC Oct 31 '12 at 14:06
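The distinction JayC draws above, between http:// images (an attacker on the path can swap or observe them) and http:// scripts or stylesheets (a tampered response runs as code inside the secure page), is the same "passive" versus "active" mixed-content split that browsers apply when they decide whether to warn or block. The scanner below is an added example, not code from the question or any of the answers: it parses an HTML document served from an https:// page, resolves every subresource reference against the page URL, and reports each one fetched over plain http, labelled by severity. The page URL, host names and HTML are constructed sample values; the tag tables are an assumption about which elements matter, not a browser's exact list.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Elements whose fetched bytes execute or restyle the page: an http:// URL
# here is "active" mixed content, the case JayC warns about for scripts and CSS.
ACTIVE_ATTRS = {
    "script": ("src",),
    "iframe": ("src",),
    "object": ("data",),
    "embed": ("src",),
}
# Elements that only display data: "passive" mixed content (the gradient image
# from the question). Still observable and swappable on the wire, but not code.
PASSIVE_ATTRS = {
    "img": ("src",),
    "audio": ("src",),
    "video": ("src", "poster"),
}


class MixedContentScanner(HTMLParser):
    """Collects (severity, tag, absolute_url) for every http:// subresource."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)  # HTMLParser lower-cases tag and attribute names
        if tag == "link":
            # Only a stylesheet link is active; icons, prefetch etc. are passive.
            rel = (attrs.get("rel") or "").lower().split()
            candidates = (("href", "active" if "stylesheet" in rel else "passive"),)
        elif tag in ACTIVE_ATTRS:
            candidates = tuple((a, "active") for a in ACTIVE_ATTRS[tag])
        elif tag in PASSIVE_ATTRS:
            candidates = tuple((a, "passive") for a in PASSIVE_ATTRS[tag])
        else:
            return
        for attr, severity in candidates:
            value = attrs.get(attr)
            if not value:
                continue
            # Relative and scheme-relative ("//host/x") references inherit the
            # page's https scheme, so only references that resolve to http:// count.
            resolved = urljoin(self.page_url, value.strip())
            if urlsplit(resolved).scheme == "http":
                self.findings.append((severity, tag, resolved))


def scan(html, page_url):
    """Return the list of mixed-content findings for an https page."""
    if urlsplit(page_url).scheme != "https":
        raise ValueError("mixed-content scan only applies to an https page")
    parser = MixedContentScanner(page_url)
    parser.feed(html)
    parser.close()
    return parser.findings


def summarize(findings):
    """Count findings per severity, e.g. {'active': 2, 'passive': 1}."""
    counts = {}
    for severity, _tag, _url in findings:
        counts[severity] = counts.get(severity, 0) + 1
    return counts


# Constructed sample: a checkout page that pulls assets from a non-TLS subdomain,
# as the question proposes, plus a scheme-relative icon and an https script.
SAMPLE_PAGE_URL = "https://shop.example/checkout"
SAMPLE_HTML = """
<html><head>
<link rel="stylesheet" href="http://static.example/site.css">
<script src="http://static.example/lib.js"></script>
<link rel="icon" href="//static.example/favicon.ico">
</head><body>
<img src="http://static.example/gradient.png">
<img src="/images/logo.png">
<script src="https://static.example/app.js"></script>
</body></html>
"""

if __name__ == "__main__":
    for severity, tag, url in scan(SAMPLE_HTML, SAMPLE_PAGE_URL):
        print(f"{severity:7} <{tag}> {url}")
    print(summarize(scan(SAMPLE_HTML, SAMPLE_PAGE_URL)))
```

Run against the sample, the scanner flags the stylesheet and the library script as active and the gradient as passive; the scheme-relative favicon and the site-relative logo resolve to https:// and are not reported. That is also the practical answer to the question's trade-off: assets referenced with a scheme-relative or https:// URL from the same subdomain stay cacheable under the server's Cache-Control headers without ever producing a mixed-content warning.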